I used the following docs to set up MMR on my CentOS 6.5 server:
I am not doing TLS between the masters, just between the clients and servers. Now I am looking at the error logs and I am seeing an error in the log:
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): State: wait_for_changes -> wait_for_changes
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): State: wait_for_changes -> start
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): No linger to cancel on the connection
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): Disconnected from the consumer
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): State: start -> ready_to_acquire_replica
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): State: ready_to_acquire_replica -> wait_for_changes
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 Acquired consumer connection extension
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 repl="dc=us1,dc=site,dc=com": Begin incremental protocol
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 replica="dc=us1,dc=site,dc=com": Unable to acquire replica: error: permission denied
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 repl="dc=us1,dc= site,dc=com": StartNSDS90ReplicationRequest: response=3 rc=0
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 Relinquishing consumer connection extension
Any idea what it could be? When I first set this up I did remember to init the replica.
First let me state that I have been tasked to fix and upgrade the directory due to recent issues. I have vast experience in most other directories but not in the 389 Directory space. So I have a few questions that will help in getting the directory upgraded with the most sound configuration. If someone can take the time to answer these brief questions it would be appreciated.
1. Issues with replication Groups and normal replication, the most active issue is that groups are not syncing but often even the regular replication fails.
I have read about issues with sync of groups and member\memberof attributes but this seems to be more with just replication of groups. I looked in the error log and never found any errors but restarting the service fixes the issue but sometimes it requires a manual fix to get the member\memberof set on the affected servers.
This example just shows a quick failure of basic replication: (this is a short example but has been minutes or have to restart the service to get replication working)
[XX/Jan/20XX:16:37:50 -0500] NSMMReplicationPlugin - agmt="cn=abc123" (abc123:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[XX/Jan/20XX:16:37:54 -0500] NSMMReplicationPlugin - agmt="cn=abc123" (abc123:389): Replication bind with SIMPLE auth resumed
2. Issues with changelog size is too large
The current changelog is 1.1 gig and this seems very large considering the DB is only about 40 meg. How can this be pruned to a decent size?
3. Cause of the DIRSRV stopping a lot recently after Yum OS update
I would assume this is due to a very outdated version and would expect that the upgrade should help with the stability. I might add that the failures started recently after an OS Yum update. I think it could be a compatibility issue and upgrading should aid in this.
4. Review configuration files that are manually done. I have read and am good to export the directory before the upgrade but what other files would you backup? IE DSE.LDIF? Stop the service and backup the DB files? etc
5. Issues with upgrading from 1.2.11.X to 22.214.171.124, gotchas or upgrade to 1.3 then patch to 126.96.36.199?
6. Other observations that users have experienced that may aid in a successful upgrade?
Lead Engineer, Web Hosting
I have configured and set up a 389 test service which works perfectly when I use the console on the server running 389-ds, but when I try to use the Windows console to administer the service I come across a small issue. I have installed the console on a Windows 7 PC and I'm able to log into the console, but under server group I only have the administration server option listed and not the directory server option.
Has anyone else come across this issue?
Two CentOS 6.6 servers
389-DS version 188.8.131.52
SSL enabled for the DS
Howdy folks, question about the unhashed#user#password attr showing up in
the retro changelog. I've seen some mentions of it (and bug reports). I'm
running 389ds 184.108.40.206. I am not syncing to windows/AD, is there any way
to disable that from ending up in the changelog?
I read in RHDS docs that I must "stop all replication processes before
attempting to *restore* a database". Release notes of v9.1 writes about a
In previous versions of Directory Server there was no explicit way to
disable a replication agreement. The only methods to suspend replication
were to change the schedule or to delete the agreement entirely.
Q1: So if I want to restore a 9.0 multi-master config, better to delete the
replication agreement before restoring the DB, right?
Another interesting difference I found between docs of v8.x and 9.x
regarding restore is, that v8.2 docs write:
"After the database is restored, any consumers, hubs, or multi-master peers
must be reinitialized."
This statement is missing from v9 docs.
Q2: Is this no longer needed? I would think I still have to reinitialize
the multi-master peer even on v9...
I have 2 Red Hat Directory Server instances on level 9.0 and would like to
patch both to 9.1. They are operating in a master-master 2 way replication
How am I supposed to do that? I don't see much info in the official docs,
only how to patch 8.x and earlier versions. Would be nice to have at least
one of them online while patching...
Is there a way to permanently disable SSLv3 in directory server? If I
modify the dse.ldif file and set nssSSL3 to off, this works until an admin
goes through the GUI and makes a change to the encryption cert and saves
the config. Once this happens SSLv3 is enabled again.
I've used the 389-console to define a few custom attributeType values,
and placed those values into a custom objectClass which has a parent of
I followed the documentation at
while creating my objectClass and attributeType configuration values.
When I attempt to include my custom object class "x-serviceRecord" in an
ldapadd command, the server gives me an error:
Entry "x500uniqueidentifier=*****,dc=mydc,dc=local" has unknown object class "x-serviceRecord"
I suspect I am missing some step or configuration parameter that isn't
obvious from the documentation.
Any suggestions as to how to resolve the issue would be appreciated.
- Nick Bright -
- Vice President of Technology -